Hey everyone!<br><br>I'm trying to configure a FreeRadius server that authenticates with MSCHAPv2 with an Active Directory 2008.<br>It's my first radius install so go easy on me, I'm a noob :)<br><br>I've followed the following howto: <a href="http://deployingradius.com/documents/configuration/active_directory.html">http://deployingradius.com/documents/configuration/active_directory.html</a><br>
and everything goes fine with the radtest, wbinfo, ntlm_auth and my user is correctly authenticated.<br><br>I'm now trying to connect a Windows 7 supplicant using that radius server. (That client is configured to use "Microsoft : Protected EAP (PEAP)", "validate server certificate" is unchecked and the authentication is on "secured password (EAP-MSCHAPv2)".)<br>
<br>The problem seems to be that my client stops answering after 4-5 Access-Challenge. I saw the remarks about the xpextensions of the certificates and made sure that the included makefile correctly uses the xpextensions, which it seems to be doing.<br>
<br>The full debug is here: <a href="http://pastebin.com/B86AgN1N">http://pastebin.com/B86AgN1N</a><br><br>It seems that mschap correctly authenticates the user:<br><br>Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}<br>
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list<br>Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2<br>Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2<br>Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}<br>
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for gchavepeyer with NT-Password<br>Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the User-Name.<br>Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --domain=%{mschap:NT-Domain:-EUROPE} -> --domain=EUROPE<br>
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=gchavepeyer<br>Fri Mar 18 09:51:31 2011 : Info: [mschap] mschap2: 5c<br>Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82d538878ea2db35<br>
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f<br>Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF<br>
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF<br>Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0<br>Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys<br>
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok<br>Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success<br>Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled<br>} # server inner-tunnel<br>Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11<br>
EAP-Message = 0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331<br>
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11<br> EAP-Message = 0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331<br>Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge<br>Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled<br>Sending Access-Challenge of id 29 to 10.32.25.204 port 32768<br>
EAP-Message = 0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x11c1c21a16d5dba84c633101b1a44bc3<br>Fri Mar 18 09:51:31 2011 : Info: Finished request 7.<br>Fri Mar 18 09:51:31 2011 : Debug: Going to the next request<br>Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.<br>
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp +27<br>
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.<br>
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp +27<br>Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp +27<br>
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.<br><br>The server sends an Access-Challenge (instead of an Access-Accept?) again but the client never answers back and the client gets an "unable to connect to xxxx...."<br>
<br>Can someone please help me with this? (All my configuration is visible in the first debug lines but if needed I can post the content of any file.)<br><br>Thanks a lot !!!<br>Geoffrey.<br>
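
Added example (not part of the original post): a small decoder for the two EAP-Message values in the debug output above. It shows that the tunneled message is an EAP-MSCHAPv2 Success request and that the outgoing Access-Challenge carries a PEAP TLS application-data record, a step the supplicant has to acknowledge before the server can send Access-Accept. The code, type and opcode tables come from the EAP and EAP-MSCHAPv2 specifications, not from the post.

```python
import struct

# Names from the EAP / EAP-MSCHAPv2 specifications (assumption: not from the post).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message values copied from the debug output in the post.
INNER = ("0x011400331a0313002e533d4644354536323645394645383839333042"
         "3230313643394537314632313231464433373038344446")
OUTER = ("0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c81"
         "0e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b2"
         "2559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991")

def decode_eap(hex_value):
    """Decode one EAP-Message attribute as printed in the server debug log."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return info  # EAP Success/Failure packets carry no type field
    eap_type, body = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 26 and len(body) >= 4:
        opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        info.update(opcode=MSCHAPV2_OPCODES.get(opcode, opcode),
                    ms_id=ms_id, ms_length=ms_len)
        if opcode == 3:  # Success request: "S=<authenticator response>"
            info["message"] = body[4:].decode("ascii", "replace")
    elif eap_type == 25 and len(body) >= 1:
        flags = body[0]
        info["length_included"] = bool(flags & 0x80)  # L bit
        info["more_fragments"] = bool(flags & 0x40)   # M bit
        tls = body[5:] if flags & 0x80 else body[1:]  # L bit: skip 4-byte total length
        if len(tls) >= 5:
            ctype, version, rec_len = struct.unpack("!BHH", tls[:5])
            info.update(tls_content_type=ctype, tls_version=hex(version),
                        tls_record_length=rec_len)
    return info

if __name__ == "__main__":
    for label, value in (("tunneled reply", INNER), ("Access-Challenge", OUTER)):
        print(label, decode_eap(value))
```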